From a270f9e72286cefb2383b80d7be99745848d1553 Mon Sep 17 00:00:00 2001 From: Matej Vasek Date: Wed, 26 Jul 2023 22:03:41 +0200 Subject: [PATCH] Fix pod security context (#1889) * Revert "src: Use jobs not plain pods for auxiliary tasks (#1857)" This reverts commit cb6f33d924ae3351edd393bb1b6191a49074c6be. * refactor: move code from openshift This is needed to avoid circular package dependencies. Signed-off-by: Matej Vasek * fix: set pod SC only on non-OpenShift Signed-off-by: Matej Vasek --------- Signed-off-by: Matej Vasek --- cmd/client.go | 12 +-- pkg/config/config.go | 5 +- pkg/http/openshift.go | 38 +++++++++ pkg/{openshift => http}/openshift_test.go | 9 +-- pkg/k8s/dialer.go | 96 +++++++++------------- pkg/{openshift => k8s}/openshift.go | 99 +++++++++++++---------- pkg/k8s/persistent_volumes.go | 81 ++++++++----------- pkg/k8s/security_context.go | 42 ++++++++++ pkg/openshift/metadata.go | 50 ------------ test/common/config.go | 6 +- 10 files changed, 223 insertions(+), 215 deletions(-) create mode 100644 pkg/http/openshift.go rename pkg/{openshift => http}/openshift_test.go (74%) rename pkg/{openshift => k8s}/openshift.go (58%) create mode 100644 pkg/k8s/security_context.go delete mode 100644 pkg/openshift/metadata.go diff --git a/cmd/client.go b/cmd/client.go index 91a187c84..8b53be89b 100644 --- a/cmd/client.go +++ b/cmd/client.go @@ -12,8 +12,8 @@ import ( "knative.dev/func/pkg/docker/creds" fn "knative.dev/func/pkg/functions" fnhttp "knative.dev/func/pkg/http" + "knative.dev/func/pkg/k8s" "knative.dev/func/pkg/knative" - "knative.dev/func/pkg/openshift" "knative.dev/func/pkg/pipelines/tekton" "knative.dev/func/pkg/progress" ) 
@@ -103,7 +103,7 @@ func NewClient(cfg ClientConfig, options ...fn.Option) (*fn.Client, func()) { // newTransport returns a transport with cluster-flavor-specific variations // which take advantage of additional features offered by cluster variants. func newTransport(insecureSkipVerify bool) fnhttp.RoundTripCloser { - return fnhttp.NewRoundTripper(fnhttp.WithInsecureSkipVerify(insecureSkipVerify), openshift.WithOpenShiftServiceCA()) + return fnhttp.NewRoundTripper(fnhttp.WithInsecureSkipVerify(insecureSkipVerify), fnhttp.WithOpenShiftServiceCA()) } // newCredentialsProvider returns a credentials provider which possibly @@ -114,7 +114,7 @@ func newCredentialsProvider(configPath string, t http.RoundTripper) docker.Crede creds.WithPromptForCredentials(prompt.NewPromptForCredentials(os.Stdin, os.Stdout, os.Stderr)), creds.WithPromptForCredentialStore(prompt.NewPromptForCredentialStore()), creds.WithTransport(t), - creds.WithAdditionalCredentialLoaders(openshift.GetDockerCredentialLoaders()...), + creds.WithAdditionalCredentialLoaders(k8s.GetOpenShiftDockerCredentialLoaders()...), } // Other cluster variants can be supported here @@ -144,18 +144,18 @@ func newKnativeDeployer(namespace string, verbose bool) fn.Deployer { } type deployDecorator struct { - oshDec openshift.OpenshiftMetadataDecorator + oshDec k8s.OpenshiftMetadataDecorator } func (d deployDecorator) UpdateAnnotations(function fn.Function, annotations map[string]string) map[string]string { - if openshift.IsOpenShift() { + if k8s.IsOpenShift() { return d.oshDec.UpdateAnnotations(function, annotations) } return annotations } func (d deployDecorator) UpdateLabels(function fn.Function, labels map[string]string) map[string]string { - if openshift.IsOpenShift() { + if k8s.IsOpenShift() { return d.oshDec.UpdateLabels(function, labels) } return labels diff --git a/pkg/config/config.go b/pkg/config/config.go index 780a9b857..a140598ee 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go 
@@ -13,7 +13,6 @@ import ( "knative.dev/func/pkg/builders" fn "knative.dev/func/pkg/functions" "knative.dev/func/pkg/k8s" - "knative.dev/func/pkg/openshift" ) const ( @@ -77,8 +76,8 @@ func (c Global) RegistryDefault() string { return c.Registry } switch { - case openshift.IsOpenShift(): - return openshift.GetDefaultRegistry() + case k8s.IsOpenShift(): + return k8s.GetDefaultOpenShiftRegistry() default: return "" } diff --git a/pkg/http/openshift.go b/pkg/http/openshift.go new file mode 100644 index 000000000..0d9b5d893 --- /dev/null +++ b/pkg/http/openshift.go @@ -0,0 +1,38 @@ +package http + +import ( + "context" + "crypto/x509" + "fmt" + "strings" + "sync" + + "knative.dev/func/pkg/k8s" +) + +const openShiftRegistryHost = "image-registry.openshift-image-registry.svc" + +// WithOpenShiftServiceCA enables trust to OpenShift's service CA for internal image registry +func WithOpenShiftServiceCA() Option { + var err error + var ca *x509.Certificate + var o sync.Once + + selectCA := func(ctx context.Context, serverName string) (*x509.Certificate, error) { + if strings.HasPrefix(serverName, openShiftRegistryHost) { + o.Do(func() { + ca, err = k8s.GetOpenShiftServiceCA(ctx) + if err != nil { + err = fmt.Errorf("cannot get CA: %w", err) + } + }) + if err != nil { + return nil, err + } + return ca, nil + } + return nil, nil + } + + return WithSelectCA(selectCA) +} diff --git a/pkg/openshift/openshift_test.go b/pkg/http/openshift_test.go similarity index 74% rename from pkg/openshift/openshift_test.go rename to pkg/http/openshift_test.go index 545fd057a..edc7c3a00 100644 --- a/pkg/openshift/openshift_test.go +++ b/pkg/http/openshift_test.go 
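Review bot: The `sync.Once` in `WithOpenShiftServiceCA` keeps whatever the first `k8s.GetOpenShiftServiceCA(ctx)` call produced, so if that first attempt fails (for example because that request's context was cancelled) every later `selectCA` call on the same option returns the cached `cannot get CA` error and the lookup is never retried. Caching only a successful result, for instance a mutex-guarded `ca` that is fetched again while it is still nil, would let a transient failure recover. Separately, `strings.HasPrefix(serverName, openShiftRegistryHost)` also accepts any name that merely starts with that string; a check like `serverName == openShiftRegistryHost || strings.HasPrefix(serverName, openShiftRegistryHost+".")` would keep the extra trust root scoped to the registry service, assuming `serverName` carries no port. The same host constant is declared a second time in pkg/k8s/openshift.go in this commit, so the two copies can drift.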
@@ -1,24 +1,23 @@ //go:build integration // +build integration -package openshift_test +package http_test import ( "net/http" - "testing" fnhttp "knative.dev/func/pkg/http" - "knative.dev/func/pkg/openshift" + "knative.dev/func/pkg/k8s" ) func TestRoundTripper(t *testing.T) { - if !openshift.IsOpenShift() { + if !k8s.IsOpenShift() { t.Skip("The cluster in not an instance of OpenShift.") return } - transport := fnhttp.NewRoundTripper(openshift.WithOpenShiftServiceCA()) + transport := fnhttp.NewRoundTripper(fnhttp.WithOpenShiftServiceCA()) defer transport.Close() client := http.Client{ diff --git a/pkg/k8s/dialer.go b/pkg/k8s/dialer.go index 694f4edfa..d45c7386e 100644 --- a/pkg/k8s/dialer.go +++ b/pkg/k8s/dialer.go @@ -16,14 +16,13 @@ import ( "syscall" "time" - batchV1 "k8s.io/api/batch/v1" coreV1 "k8s.io/api/core/v1" metaV1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/fields" "k8s.io/apimachinery/pkg/util/rand" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/kubernetes" "k8s.io/client-go/kubernetes/scheme" - batchv1 "k8s.io/client-go/kubernetes/typed/batch/v1" v1 "k8s.io/client-go/kubernetes/typed/core/v1" restclient "k8s.io/client-go/rest" "k8s.io/client-go/tools/clientcmd" @@ -65,9 +64,7 @@ func NewInClusterDialer(ctx context.Context, clientConfig clientcmd.ClientConfig type contextDialer struct { coreV1 v1.CoreV1Interface clientConfig clientcmd.ClientConfig - batchV1 batchv1.BatchV1Interface restConf *restclient.Config - jobName string podName string namespace string detachChan chan struct{} 
@@ -188,13 +185,9 @@ func (c *contextDialer) Close() error { close(c.detachChan) ctx, cancel := context.WithTimeout(context.Background(), time.Minute*1) defer cancel() + delOpts := metaV1.DeleteOptions{} - pp := metaV1.DeletePropagationForeground - delOpts := metaV1.DeleteOptions{ - PropagationPolicy: &pp, - } - - return c.batchV1.Jobs(c.namespace).Delete(ctx, c.jobName, delOpts) + return c.coreV1.Pods(c.namespace).Delete(ctx, c.podName, delOpts) } func (c *contextDialer) startDialerPod(ctx context.Context) (err error) { @@ -213,16 +206,16 @@ func (c *contextDialer) startDialerPod(ctx context.Context) (err error) { if err != nil { return } - c.coreV1 = client.CoreV1() - c.batchV1 = client.BatchV1() c.namespace, _, err = c.clientConfig.Namespace() if err != nil { return } - jobs := client.BatchV1().Jobs(c.namespace) + pods := client.CoreV1().Pods(c.namespace) + + c.podName = "in-cluster-dialer-" + rand.String(5) defer func() { if err != nil { 
@@ -230,49 +223,39 @@ func (c *contextDialer) startDialerPod(ctx context.Context) (err error) { } }() - c.jobName = "in-cluster-dialer-" + rand.String(5) - - job := &batchV1.Job{ + pod := &coreV1.Pod{ ObjectMeta: metaV1.ObjectMeta{ - Name: c.jobName, + Name: c.podName, + Labels: nil, + Annotations: nil, }, - Spec: batchV1.JobSpec{ - Template: coreV1.PodTemplateSpec{ - Spec: coreV1.PodSpec{ - Containers: []coreV1.Container{ - { - Name: "container", - Image: SocatImage, - Stdin: true, - StdinOnce: true, - Command: []string{"socat", "-u", "-", "OPEN:/dev/null"}, - }, - }, - DNSPolicy: coreV1.DNSClusterFirst, - RestartPolicy: coreV1.RestartPolicyNever, + Spec: coreV1.PodSpec{ + SecurityContext: defaultPodSecurityContext(), + Containers: []coreV1.Container{ + { + Name: c.podName, + Image: SocatImage, + Stdin: true, + StdinOnce: true, + Command: []string{"socat", "-u", "-", "OPEN:/dev/null"}, + SecurityContext: defaultSecurityContext(client), }, }, + DNSPolicy: coreV1.DNSClusterFirst, + RestartPolicy: coreV1.RestartPolicyNever, }, } - creatOpts := metaV1.CreateOptions{} - podChan, err := podReady(ctx, c.coreV1, c.jobName, c.namespace) - if err != nil { - return fmt.Errorf("cannot setup pod watch: %w", err) - } + ready := podReady(ctx, c.coreV1, c.podName, c.namespace) - _, err = jobs.Create(ctx, job, creatOpts) + _, err = pods.Create(ctx, pod, creatOpts) if err != nil { return } select { - case poe := <-podChan: - if poe.err != nil { - return poe.err - } - c.podName = poe.pod.Name + case err = <-ready: case <-ctx.Done(): err = ctx.Err() case <-time.After(time.Minute * 1): @@ -310,7 +293,7 @@ func (c *contextDialer) exec(hostPort string, in io.Reader, out, errOut io.Write SubResource("exec") req.VersionedParams(&coreV1.PodExecOptions{ Command: []string{"socat", "-dd", "-", fmt.Sprintf("TCP:%s", hostPort)}, - Container: "container", + Container: c.podName, Stdin: true, Stdout: true, Stderr: true, 
@@ -337,7 +320,7 @@ func attach(restClient restclient.Interface, restConf *restclient.Config, podNam Namespace(namespace). SubResource("attach") req.VersionedParams(&coreV1.PodAttachOptions{ - Container: "container", + Container: podName, Stdin: true, Stdout: true, Stderr: true, @@ -357,30 +340,26 @@ func attach(restClient restclient.Interface, restConf *restclient.Config, podNam }) } -type podOrError struct { - pod *coreV1.Pod - err error -} - -func podReady(ctx context.Context, core v1.CoreV1Interface, jobName, namespace string) (result <-chan podOrError, err error) { - outChan := make(chan podOrError, 1) - result = outChan +func podReady(ctx context.Context, core v1.CoreV1Interface, podName, namespace string) (errChan <-chan error) { + d := make(chan error) + errChan = d pods := core.Pods(namespace) + nameSelector := fields.OneTermEqualSelector("metadata.name", podName).String() listOpts := metaV1.ListOptions{ Watch: true, - LabelSelector: "job-name=" + jobName, + FieldSelector: nameSelector, } watcher, err := pods.Watch(ctx, listOpts) if err != nil { - return nil, err + return } go func() { defer watcher.Stop() - watchChan := watcher.ResultChan() - for event := range watchChan { + ch := watcher.ResultChan() + for event := range ch { pod, ok := event.Object.(*coreV1.Pod) if !ok { continue @@ -389,7 +368,7 @@ func podReady(ctx context.Context, core v1.CoreV1Interface, jobName, namespace s if event.Type == watch.Modified { for _, status := range pod.Status.ContainerStatuses { if status.Ready { - outChan <- podOrError{pod: pod} + d <- nil return } if status.State.Waiting != nil { @@ -400,10 +379,9 @@ func podReady(ctx context.Context, core v1.CoreV1Interface, jobName, namespace s "InvalidImageName", "CrashLoopBackOff", "ImagePullBackOff": - e := fmt.Errorf("reason: %v, message: %v", + d <- fmt.Errorf("reason: %v, message: %v", status.State.Waiting.Reason, status.State.Waiting.Message) - outChan <- podOrError{err: e} return default: continue 
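Review bot: `podReady` now returns its channel without ever sending on it when `pods.Watch` fails (`if err != nil { return }`), so both callers wait in their `select` until the one-minute or five-minute timer fires and report a timeout instead of the watch error. The channel is also unbuffered (`d := make(chan error)`), so once a caller has left the `select` through `ctx.Done()` or the timer, the goroutine blocks forever on `d <- nil` or `d <- fmt.Errorf(...)`. Creating it as `d := make(chan error, 1)` and doing `d <- err` before the early return covers both cases. The goroutine body continues outside these hunks.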
diff --git a/pkg/openshift/openshift.go b/pkg/k8s/openshift.go similarity index 58% rename from pkg/openshift/openshift.go rename to pkg/k8s/openshift.go index 95756b522..6af64c540 100644 --- a/pkg/openshift/openshift.go +++ b/pkg/k8s/openshift.go @@ -1,12 +1,10 @@ -package openshift +package k8s import ( "context" "crypto/x509" "encoding/pem" "errors" - "fmt" - "strings" "sync" "time" @@ -18,17 +16,16 @@ import ( "knative.dev/func/pkg/docker" "knative.dev/func/pkg/docker/creds" - fnhttp "knative.dev/func/pkg/http" - "knative.dev/func/pkg/k8s" + fn "knative.dev/func/pkg/functions" ) const ( - registryHost = "image-registry.openshift-image-registry.svc" - registryHostPort = registryHost + ":5000" + openShiftRegistryHost = "image-registry.openshift-image-registry.svc" + openShiftRegistryHostPort = openShiftRegistryHost + ":5000" ) -func GetServiceCA(ctx context.Context) (*x509.Certificate, error) { - client, ns, err := k8s.NewClientAndResolvedNamespace("") +func GetOpenShiftServiceCA(ctx context.Context) (*x509.Certificate, error) { + client, ns, err := NewClientAndResolvedNamespace("") if err != nil { return nil, err } 
@@ -88,42 +85,17 @@ func GetServiceCA(ctx context.Context) (*x509.Certificate, error) { } } -// WithOpenShiftServiceCA enables trust to OpenShift's service CA for internal image registry -func WithOpenShiftServiceCA() fnhttp.Option { - var err error - var ca *x509.Certificate - var o sync.Once - - selectCA := func(ctx context.Context, serverName string) (*x509.Certificate, error) { - if strings.HasPrefix(serverName, registryHost) { - o.Do(func() { - ca, err = GetServiceCA(ctx) - if err != nil { - err = fmt.Errorf("cannot get CA: %w", err) - } - }) - if err != nil { - return nil, err - } - return ca, nil - } - return nil, nil - } - - return fnhttp.WithSelectCA(selectCA) -} - -func GetDefaultRegistry() string { - ns, _ := k8s.GetNamespace("") +func GetDefaultOpenShiftRegistry() string { + ns, _ := GetNamespace("") if ns == "" { ns = "default" } - return registryHostPort + "/" + ns + return openShiftRegistryHostPort + "/" + ns } -func GetDockerCredentialLoaders() []creds.CredentialsCallback { - conf := k8s.GetClientConfig() +func GetOpenShiftDockerCredentialLoaders() []creds.CredentialsCallback { + conf := GetClientConfig() rawConf, err := conf.RawConfig() if err != nil { @@ -143,7 +115,7 @@ func GetDockerCredentialLoaders() []creds.CredentialsCallback { return []creds.CredentialsCallback{ func(registry string) (docker.Credentials, error) { - if registry == registryHostPort { + if registry == openShiftRegistryHostPort { return credentials, nil } return docker.Credentials{}, creds.ErrCredentialsNotFound @@ -158,7 +130,7 @@ var checkOpenShiftOnce sync.Once func IsOpenShift() bool { checkOpenShiftOnce.Do(func() { isOpenShift = false - client, err := k8s.NewKubernetesClientset() + client, err := NewKubernetesClientset() if err != nil { return } 
@@ -170,3 +142,48 @@ func IsOpenShift() bool { }) return isOpenShift } + +const ( + annotationOpenShiftVcsUri = "app.openshift.io/vcs-uri" + annotationOpenShiftVcsRef = "app.openshift.io/vcs-ref" + + labelAppK8sInstance = "app.kubernetes.io/instance" + labelOpenShiftRuntime = "app.openshift.io/runtime" +) + +var iconValuesForRuntimes = map[string]string{ + "go": "golang", + "node": "nodejs", + "python": "python", + "quarkus": "quarkus", + "springboot": "spring-boot", +} + +type OpenshiftMetadataDecorator struct{} + +func (o OpenshiftMetadataDecorator) UpdateAnnotations(f fn.Function, annotations map[string]string) map[string]string { + if annotations == nil { + annotations = map[string]string{} + } + annotations[annotationOpenShiftVcsUri] = f.Build.Git.URL + annotations[annotationOpenShiftVcsRef] = f.Build.Git.Revision + + return annotations +} + +func (o OpenshiftMetadataDecorator) UpdateLabels(f fn.Function, labels map[string]string) map[string]string { + if labels == nil { + labels = map[string]string{} + } + + // this label is used for referencing a Tekton Pipeline and deployed KService + labels[labelAppK8sInstance] = f.Name + + // if supported, set the label representing a runtime icon in Developer Console + iconValue, ok := iconValuesForRuntimes[f.Runtime] + if ok { + labels[labelOpenShiftRuntime] = iconValue + } + + return labels +} diff --git a/pkg/k8s/persistent_volumes.go b/pkg/k8s/persistent_volumes.go index a826298e3..92bdccd39 100644 --- a/pkg/k8s/persistent_volumes.go +++ b/pkg/k8s/persistent_volumes.go @@ -12,7 +12,6 @@ import ( "syscall" "time" - batchV1 "k8s.io/api/batch/v1" corev1 "k8s.io/api/core/v1" k8serrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/api/resource" 
@@ -102,79 +101,65 @@ func runWithVolumeMounted(ctx context.Context, podImage string, podCommand []str return fmt.Errorf("cannot get namespace: %w", err) } - jobName := "volume-uploader-" + rand.String(5) + podName := "volume-uploader-" + rand.String(5) pods := client.CoreV1().Pods(namespace) - jobs := client.BatchV1().Jobs(namespace) defer func() { - pp := metav1.DeletePropagationForeground - delOpts := metav1.DeleteOptions{ - PropagationPolicy: &pp, - } - _ = jobs.Delete(ctx, jobName, delOpts) + _ = pods.Delete(ctx, podName, metav1.DeleteOptions{}) }() const volumeMntPoint = "/tmp/volume_mnt" const pVol = "p-vol" - job := &batchV1.Job{ + pod := &corev1.Pod{ ObjectMeta: metav1.ObjectMeta{ - Name: jobName, + Name: podName, + Labels: nil, + Annotations: nil, }, - Spec: batchV1.JobSpec{ - - Template: corev1.PodTemplateSpec{ - Spec: corev1.PodSpec{ - Containers: []corev1.Container{ + Spec: corev1.PodSpec{ + SecurityContext: defaultPodSecurityContext(), + Containers: []corev1.Container{ + { + Name: podName, + Image: podImage, + Stdin: true, + StdinOnce: true, + WorkingDir: volumeMntPoint, + Command: podCommand, + VolumeMounts: []corev1.VolumeMount{ { - Name: "container", - Image: podImage, - Stdin: true, - StdinOnce: true, - WorkingDir: volumeMntPoint, - Command: podCommand, - VolumeMounts: []corev1.VolumeMount{ - { - Name: pVol, - MountPath: volumeMntPoint, - }, - }, + Name: pVol, + MountPath: volumeMntPoint, }, }, - Volumes: []corev1.Volume{{ - Name: pVol, - VolumeSource: corev1.VolumeSource{ - PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{ - ClaimName: claimName, - }, - }, - }}, - DNSPolicy: corev1.DNSClusterFirst, - RestartPolicy: corev1.RestartPolicyNever, + SecurityContext: defaultSecurityContext(client), }, }, + Volumes: []corev1.Volume{{ + Name: pVol, + VolumeSource: corev1.VolumeSource{ + PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{ + ClaimName: claimName, + }, + }, + }}, + DNSPolicy: corev1.DNSClusterFirst, + 
RestartPolicy: corev1.RestartPolicyNever, }, } localCtx, cancel := context.WithCancel(ctx) defer cancel() - podChan, err := podReady(localCtx, client.CoreV1(), jobName, namespace) - if err != nil { - return fmt.Errorf("cannot setup pod watch: %w", err) - } + ready := podReady(localCtx, client.CoreV1(), podName, namespace) - _, err = jobs.Create(ctx, job, metav1.CreateOptions{}) + _, err = pods.Create(ctx, pod, metav1.CreateOptions{}) if err != nil { return fmt.Errorf("cannot create pod: %w", err) } - var podName string select { - case poe := <-podChan: - if poe.err != nil { - return poe.err - } - podName = poe.pod.Name + case err = <-ready: case <-ctx.Done(): err = ctx.Err() case <-time.After(time.Minute * 5): diff --git a/pkg/k8s/security_context.go b/pkg/k8s/security_context.go new file mode 100644 index 000000000..ac49e967e --- /dev/null +++ b/pkg/k8s/security_context.go 
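Review bot: The deferred cleanup in `runWithVolumeMounted` calls `pods.Delete(ctx, podName, metav1.DeleteOptions{})` with the caller's `ctx` and discards the result, so on the `case <-ctx.Done()` path the delete is issued with an already-cancelled context and the uploader pod, with the claim still mounted, is likely to be left behind without any trace of the failure. `contextDialer.Close` in this same commit deletes with `context.WithTimeout(context.Background(), time.Minute*1)`; using a fresh bounded context here as well would make cleanup independent of cancellation. The function starts and ends outside this hunk.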
@@ -0,0 +1,42 @@ +package k8s + +import ( + "github.com/Masterminds/semver" + corev1 "k8s.io/api/core/v1" + "k8s.io/client-go/kubernetes" +) + +var oneTwentyFour = semver.MustParse("1.24") + +func defaultPodSecurityContext() *corev1.PodSecurityContext { + // change ownership of the mounted volume to the first non-root user uid=1000 + if IsOpenShift() { + return nil + } + runAsUser := int64(1000) + runAsGroup := int64(1000) + return &corev1.PodSecurityContext{ + RunAsUser: &runAsUser, + RunAsGroup: &runAsGroup, + FSGroup: &runAsGroup, + } +} + +func defaultSecurityContext(client *kubernetes.Clientset) *corev1.SecurityContext { + runAsNonRoot := true + sc := &corev1.SecurityContext{ + Privileged: new(bool), + AllowPrivilegeEscalation: new(bool), + RunAsNonRoot: &runAsNonRoot, + Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}}, + SeccompProfile: nil, + } + if info, err := client.ServerVersion(); err == nil { + var v *semver.Version + v, err = semver.NewVersion(info.String()) + if err == nil && v.Compare(oneTwentyFour) >= 0 { + sc.SeccompProfile = &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault} + } + } + return sc +} diff --git a/pkg/openshift/metadata.go b/pkg/openshift/metadata.go deleted file mode 100644 index 19bb4c98e..000000000 --- a/pkg/openshift/metadata.go +++ /dev/null 
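Review bot: `defaultSecurityContext` leaves `SeccompProfile` nil whenever `client.ServerVersion()` or `semver.NewVersion` returns an error, and both errors are dropped, so a failed or unparsable version lookup quietly yields a container without the `RuntimeDefault` profile. That fallback should at least be stated in a doc comment on the function (or logged), and `oneTwentyFour` needs a comment saying why the profile is only requested from 1.24 on, since nothing in the file explains the cut-off. In `defaultPodSecurityContext` the uid=1000 comment sits above the `IsOpenShift()` early return and describes only the other branch; a doc comment such as `// defaultPodSecurityContext returns nil on OpenShift; elsewhere it runs the pod as uid/gid 1000 with fsGroup 1000.` would cover both. The version lookup is also an API call made for every pod that is built, which could be done once.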
@@ -1,50 +0,0 @@ -package openshift - -import ( - fn "knative.dev/func/pkg/functions" -) - -const ( - annotationOpenShiftVcsUri = "app.openshift.io/vcs-uri" - annotationOpenShiftVcsRef = "app.openshift.io/vcs-ref" - - labelAppK8sInstance = "app.kubernetes.io/instance" - labelOpenShiftRuntime = "app.openshift.io/runtime" -) - -var iconValuesForRuntimes = map[string]string{ - "go": "golang", - "node": "nodejs", - "python": "python", - "quarkus": "quarkus", - "springboot": "spring-boot", -} - -type OpenshiftMetadataDecorator struct{} - -func (o OpenshiftMetadataDecorator) UpdateAnnotations(f fn.Function, annotations map[string]string) map[string]string { - if annotations == nil { - annotations = map[string]string{} - } - annotations[annotationOpenShiftVcsUri] = f.Build.Git.URL - annotations[annotationOpenShiftVcsRef] = f.Build.Git.Revision - - return annotations -} - -func (o OpenshiftMetadataDecorator) UpdateLabels(f fn.Function, labels map[string]string) map[string]string { - if labels == nil { - labels = map[string]string{} - } - - // this label is used for referencing a Tekton Pipeline and deployed KService - labels[labelAppK8sInstance] = f.Name - - // if supported, set the label representing a runtime icon in Developer Console - iconValue, ok := iconValuesForRuntimes[f.Runtime] - if ok { - labels[labelOpenShiftRuntime] = iconValue - } - - return labels -} diff --git a/test/common/config.go b/test/common/config.go index 19121d05f..81c17f18e 100644 --- a/test/common/config.go +++ b/test/common/config.go @@ -4,7 +4,7 @@ import ( "os" "strings" - "knative.dev/func/pkg/openshift" + "knative.dev/func/pkg/k8s" ) // Intended to provide setup configuration for E2E tests 
@@ -18,8 +18,8 @@ func init() { // Setup test Registry. testRegistry = os.Getenv("E2E_REGISTRY_URL") if testRegistry == "" || testRegistry == "default" { - if openshift.IsOpenShift() { - testRegistry = openshift.GetDefaultRegistry() + if k8s.IsOpenShift() { + testRegistry = k8s.GetDefaultOpenShiftRegistry() } else { testRegistry = DefaultRegistry }